Swen Worm--How does it work?

Wayne Watson

I believe it's the Swen worm that sends out masses of "security pack", "Microsoft upgrade", ... fake
messages. If I understand this correctly, it infests someone's computer and uses their address book
to send out these messages. Is that correct? That is, if John Doe installs the fake security pack on
his machine, it will then raid his address book and send messages to people in the address book.

--
Wayne T. Watson (121.015 Deg. W, 39.262 Deg. N, 2,701 feet, Nevada City, CA)
-- GMT-8 hr std. time, RJ Rcvr 39° 8' 0" N, 121° 1' 0" W

Remember to drink an adequate amount of dihydrogen oxide each day.

Web Page: <home.earthlink.net/~mtnviews>
Imaginarium Museum: <home.earthlink.net/~mtnviews/imaginarium.html>
 
Wayne Watson

Thanks. If I understand this correctly, it is as I said. I don't have the worm, but someone who has it also
has my e-mail address (in an address book), and the messages originate from outside my system. I have been
flooded with fake security patch, upgrade, etc. messages. They are all about 150K in size and quickly fill
up my allocation of space on the EarthLink mail server. I have to go up and purge them. I talked to
EarthLink about this and they said to change my userid. I did, and then contacted everyone in my personal
address book to update to my new e-mail address. For about 12 hours I got a few messages from people I
know. In the last hour I've started to see fake security messages dribble in. Suggestions?

 
Wayne Watson

One other bit of information. I ran a NAV check on my entire system a short while ago. It took two hours and I
had updated my virus defs on 9/18. Swen was one in the list of defs. No viruses were detected.

 
Evi

Groan! I have a horrible feeling that's what my ISP will suggest too! And
I'm off on holiday for a couple of weeks so won't be able to perform my
twice daily deletes of 100+ messages.

I really liked my ID

and I've got it in all sorts of places.

Evi




 
Wayne Watson

In my case, there may be some good news. My ISP is EarthLink. They have a facility on their webmail
that allows you to set the level of spam control. One level is high. If you set it to high, all mail
goes to a server mail box called "suspect spam". If you have an address book on the webmail/server
site, all incoming mail whose addresses are in the book goes right to you. The rest of it goes to
the suspect folder. The good news is that if some of the mail that ends up in the suspect folder is
acceptable, you can hit a button to transfer the e-mail address into your acceptable book. That
makes things a lot easier in constructing such an address book. EL plans to have an importable
address book in Oct., so that'll help.

The only rub on what I said above is whether the stuff going into the suspect folder counts against
your total allotment on the server. If not, one gets screwed if the spam load is heavy. I have a
call into EL at the moment to ask that question.

There's another side to this too for EL users. When stuff goes into the suspect folder, I'm pretty
sure EL puts out a message to the sender that the receiver requires authentication from them. So, in
my mind, why isn't one of my friends asking me for authentication? Of course, it may be that the
return address is a phony. It's also possible a friend had this happen. I did get a message from a
friend asking for permission to reach me. They got stopped by the high level checking. I'll look
into it.

Quite a tangled story. :) Back later with what I've discovered.

 
Wayne Watson

I confirmed with EarthLink that although I might be able to control spam better, it's still quite
possible that if a large number of big files were sent to me that I would have problems with exceeding
space quotas. Essentially, I'd have to go up to the web and purge the excess spam stuck in the spam
folder.

I do have an interesting thought about finding who on my mailing list is the source of the spam and
worm. Have selective people remove my name from their address book and put it on paper. If I see a
reduction in fake spam, I'd have a fair idea of what machine is corrupted.

 
dcdon

I definitely have a suggestion.
Read carefully.
Add to yours and explain it to others.
In your address book place dummy addresses like this:
000000000@WORM_ALERT.YES there is an "_" (underscore) between worm and
alert (under all of 'em).
111111111@WORM_ALERT.YES
A
C
G
N
Q
X
X
Z
all the above done like the top two.
If a worm sends email out to everyone in your address book, you will get all
of these sent back to you by your server with mailer_daemon attached telling you
these are invalid addresses and were returned to you, because you sent them.
That is, the ones that don't have their own SMTP server. Like the Microsoft
deal, set Rules in your email program to delete all those that come in from
those who have your address in their address books.

Usually the worms with self-contained SMTP scan your HDD for any
extensions like .wab, and for a week you can transfer this to a floppy and
have it handy, but released until you need it. Make a special note where it
was in a file called Read MeWAB.txt. You can even have one left on the HDD
with the extension changed to your initials and later do a search for *.xyz
(xyz being your initials) and change it back to wab.

Don't keep emails in folders on HDD or do the extension changing trick. They
are .dbx or whatever.

Help others to do this and the worms will go away faster.

There are folks in third world countries learning more and more about
internet fraud and wrecking computers they think are hurting the USA and
other countries of Democratic political systems. And I wouldn't be at all
surprised if it becomes a target of terrorists, so it could get worse
easily.

Always take the time to send spam notices to the ISPs to make a statement.
It may become just as important as voting, before we're over this.
I trade stock on the internet and it scares me to death. I have several
backup systems in place.

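As an added example (not dcdon's code or anything posted in the thread), here is a Python script that applies the canary-address idea from the post above: it reads a constructed set of messages, picks out the bounces, and reports which of the planted dummy addresses came back, which is the signal that something on the machine mailed the local address book. The sample messages and the bounce-sender rule are assumptions; as dcdon notes, this only catches worms that send through your own mail server, not those with a built-in SMTP engine.

```python
"""Canary-address check: did something on this machine mail the dummy
addresses planted in the address book? (Added example, not from the thread.)"""
import re
from email import message_from_string
from email.utils import parseaddr

# Dummy entries planted in the address book, as dcdon suggests. The domain
# WORM_ALERT.YES does not exist, so any mail to them comes straight back.
CANARIES = {
    "000000000@worm_alert.yes",
    "111111111@worm_alert.yes",
    "a@worm_alert.yes",
    "z@worm_alert.yes",
}
BOUNCE_SENDER = re.compile(r"^(mailer-daemon|postmaster)@", re.IGNORECASE)
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9._-]+")


def text_of(msg):
    """Join every text/* part: bounces quote the failed recipient in the body
    or in an attached delivery-status part."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks)


def is_bounce(msg):
    """Treat mail from MAILER-DAEMON or postmaster as a delivery failure."""
    sender = parseaddr(msg.get("From", ""))[1]
    return bool(BOUNCE_SENDER.match(sender))


def canaries_in_bounce(raw):
    """Return the canary addresses named in one bounce (empty if not a bounce)."""
    msg = message_from_string(raw)
    if not is_bounce(msg):
        return set()
    seen = {addr.lower() for addr in ADDRESS.findall(text_of(msg))}
    return seen & CANARIES


def scan_mailbox(raw_messages):
    """Count bounces per canary. Any entry at all means something other than
    you mailed the address book; bounces for real typos never match."""
    hits = {}
    for raw in raw_messages:
        for canary in canaries_in_bounce(raw):
            hits[canary] = hits.get(canary, 0) + 1
    return hits

# Constructed sample mailbox: one canary bounce, one ordinary message and one
# bounce caused by a genuine typo, which must not be reported.
SAMPLE_MAILBOX = [
    "From: MAILER-DAEMON@mail.example.net\n"
    "Subject: Returned mail: Host unknown\n\n"
    "The following address(es) failed:\n"
    "  000000000@WORM_ALERT.YES\n"
    "    host or domain name not found\n",
    "From: friend@example.org\nSubject: lunch?\n\nStill on for Tuesday?\n",
    "From: postmaster@example.net\nSubject: Undeliverable\n\n"
    "Recipient address rejected: jon.doe@exmaple.com\n",
]

if __name__ == "__main__":
    print(scan_mailbox(SAMPLE_MAILBOX))  # {'000000000@worm_alert.yes': 1}
```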
 
dcdon

Dang, how much do you have on your HDD that you don't get off of it
timely?
I have 75,000 files and it takes about 10 minutes.

don
------


 
Gary Smith

dcdon said:
If a worm sends email out to everyone in your address book, you will get all
of these sent back to you by your server with mailer_daemon attached telling you
these are invalid addresses and were returned to you, because you sent them.
That is, the ones that don't have their own SMTP server. Like the Microsoft
deal, set Rules in your email program to delete all those that come in from
those who have your address in their address books.

How is that going to help?
 
Gary Smith

Posting in these newsgroups with a real email address is an excellent way
to get on the mailing list for this thing. Intentionally or not, it's
functioning as a denial-of-service attack, filling up the mailboxes of the
unwary and causing possibly legitimate messages to be refused. Unless
your ISP provides a means of filtering based on the presence or size of
attachments, filtering them out is a lot of work.
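As an added example (not Gary's code or anything from the thread), the kind of attachment rule Gary describes, written in Python against constructed messages: it holds back any message whose attachment is executable or larger than a threshold, which is the profile of the 150K fake patch messages Wayne reports. The size limit, the extension list, the sample subject line and the messages themselves are assumptions.

```python
"""Attachment-based hold rule for worm mail like the fake patches in the thread.
(Added example with constructed messages; the policy values are assumptions.)"""
import base64
import os
from email import message_from_string

# Assumed policy: the thread reports fake "security patch" mails of about 150K
# each carrying a program to run, so hold anything executable or oversized.
SIZE_LIMIT_BYTES = 100 * 1024
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".zip"}


def attachments(msg):
    """Yield (filename, decoded size in bytes) for every attachment part."""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not content
        name = part.get_filename()
        if name is None and part.get_content_disposition() != "attachment":
            continue  # inline body text
        payload = part.get_payload(decode=True) or b""
        yield name or "", len(payload)


def hold_reasons(raw):
    """Return why a message should be held back; an empty list means deliver."""
    reasons = []
    for name, size in attachments(message_from_string(raw)):
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            reasons.append(f"executable attachment: {name}")
        if size > SIZE_LIMIT_BYTES:
            reasons.append(f"oversized attachment: {name} ({size} bytes)")
    return reasons


def constructed_message(filename, size):
    """Build a sample MIME message carrying one base64 attachment of `size` bytes
    (subject modelled on the fake 'security pack' mails Wayne describes)."""
    body = base64.b64encode(b"\0" * size).decode()
    return (
        "From: security@example.com\nSubject: New Security Pack\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nInstall this update now.\n"
        f'--b1\nContent-Type: application/octet-stream; name="{filename}"\n'
        "Content-Transfer-Encoding: base64\n"
        f'Content-Disposition: attachment; filename="{filename}"\n\n'
        f"{body}\n--b1--\n"
    )


if __name__ == "__main__":
    print(hold_reasons(constructed_message("patch.exe", 150 * 1024)))
    print(hold_reasons("From: friend@example.org\nSubject: hi\n\nhello\n"))  # []
```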
 
Wayne Watson

Let me clarify things. My machine does not have the worm. My NAV scan tells me that. I used definitions from
9/18/2003. When I changed my e-mail address within 12 hours fake security messages started dribbling in, but not
the torrent I had before. I had distributed my new address to folks in my personal address book. I think it's
fair to assume that one of their machines has the worm. To put an end to it, I need to find out which one has the
worm.

 
Steve M (remove wax for reply)

http://www.technewsworld.com/perl/story/31627.html

"Swen, a "highly complex" worm, communicates with a remote Web site to
track its own infections, which as of Friday morning was at more than
1.4 million computers."

Good luck finding the infected computer. My own experience is, if you
mail your suspicion to everybody in your address book, the ones that
actually have the infection will be clueless.

Unless you only correspond with an exceptionally computer-savvy group
of people, and in that case they wouldn't have the infection anyway.

What's more, your address is in the Swen database now. Like mine.

"Welcome to the world of Swen".
 
Wayne Watson

How do you explain that when I changed e-mail addresses, I began getting fake messages within 12 hours? I have four
this morning. How could it harvest my address so quickly? This occurred before I posted to a public location like this
newsgroup. If it keeps a database of userids, I would think it is a big central operation, and might be more easily
susceptible to detection.

Here's a potential solution among my not necessarily computer savvy friends. I selectively ask them to remove me from
their address books. If I see a drop off in fake messages during a period where I'm out of their books, I can then ask
them to run a virus check. It seems there ought to be an easier way to detect the presence of the worm on a system
other than running a virus check. One would only be looking for a specific worm, so it seems unnecessary to run a
system check on a large set of viruses. I would think there are a handful of files that if present or missing would
determine whether the worm is present.

 
Evi

According to
http://www.bitdefender.com/html/virusinfo.php?menu_id=1&v_id=158
the main symptom is that the user won't be able to run Registry Editor. So,
presumably, if he goes to Start, Run and types in
Regedit
nothing will happen or he'll get some kind of error message.

Evi



 
Wayne Watson

Thanks. I fired off a message to ELinks abuse people, and to Symantec this morning. Maybe they can
give me a clue. If that fails, then I'll start asking people to withdraw my e-mail address from
their address books until I see the fake spam stop.
 
Wayne Watson

I'm running on a PPro 200Mhz bought in 1996. Slow by modern standards but very reliable.
 
Gary Smith

Wayne Watson said:
How do you explain that when I changed e-mail addresses, I began getting fake messages within 12 hours? I have four
this morning. How could it harvest my address so quickly? This occurred before I posted to a public location like this
newsgroup. If it keeps a database of userids, I would think it is a big central operation, and might be more easily
susceptible to detection.

It appears that the worm, or somebody sending out the worm, is able to
obtain email addresses from some mail servers. I received two messages at
an address that has never been used for outgoing mail, never been used on
Usenet, and never been given to anyone. Only the ISP and I know about it.
On the other hand, if you were generating possible addresses and
attempting to verify them, it wouldn't take you very long to come up with
it.

My experience suggests that the major sources of addresses are Usenet
postings and web sites.
 
W. Watson

Found it. A friend loaded it onto his system. He's now removed it. However, a "bug announcement", "Notice", "Error
Announcement", "Returned mail..." worm seems to be sending me stuff too. Not nearly as bad as Swen.

 
